Opened 15 months ago

Last modified 6 months ago

#1245 new Bug / Defect

segfault error 14 in

Reported by: ctodd@…
Owned by:
Priority: major
Milestone: release 2.4.8
Component: Generic / unclassified
Version: OpenVPN 2.4.8 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords: segfault liblber
Cc: bmccord@…


Ubuntu 18.04.3 running OpenVPN 2.4.8. Server uses LDAP for authentication and periodically (about once every few days) stops authenticating users. Leading up to this issue, we sometimes see users attempt to authenticate with invalid credentials. In the logs we see the following variations of errors:

Dec 18 13:21:31 sfo-openvpn1 openvpn[77827]: pam_ldap: error trying to bind as user "cn=someuser,ou=people,dc=somedomain,dc=com" (Invalid credentials)

Dec 18 13:21:33 kernel: [3326305.784762] openvpn[44256]: segfault at 7f0bbeba6fc7 ip 00007f0bbeba6fc7 sp 00007f0bb4d82dc0 error 14 in[7f0bbf1fe000+d000]

Dec 19 00:02:03 openvpn[124002]: pam_ldap: error trying to bind as user "cn=someuser,ou=people,dc=somedomain,dc=com" (Invalid credentials)

Dec 19 00:02:12 kernel: [3364744.281920] openvpn[124253]: segfault at 7f570ed8ffc7 ip 00007f570ed8ffc7 sp 00007f570539ddc0 error 14 in[7f570fc5d000+4000]

We have upgraded all system libraries and recompiled the latest available version of OpenVPN. It should be noted that we use the Viscosity client with Yubikeys, and thus have server side tokens enabled.
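The two kernel segfault lines quoted above can be decoded mechanically for triage. This is an added Python example, not code from the ticket or from OpenVPN; it assumes the x86 page-fault error-code bit layout that the Linux kernel prints in hex, and embeds a constructed copy of the reported lines as sample input.

```python
import re

# Constructed sample input, shaped like the kernel lines quoted in the report.
SAMPLE_LOG = """\
Dec 18 13:21:33 kernel: [3326305.784762] openvpn[44256]: segfault at 7f0bbeba6fc7 ip 00007f0bbeba6fc7 sp 00007f0bb4d82dc0 error 14 in[7f0bbf1fe000+d000]
Dec 19 00:02:12 kernel: [3364744.281920] openvpn[124253]: segfault at 7f570ed8ffc7 ip 00007f570ed8ffc7 sp 00007f570539ddc0 error 14 in[7f570fc5d000+4000]
"""

# x86 page-fault error code bits; the kernel's show_signal_msg() prints the
# code in hex, so "error 14" is 0x14 = user mode + instruction fetch.
PF_BITS = [(0x01, "protection violation (page present)"),
           (0x02, "write access"),
           (0x04, "user mode"),
           (0x08, "reserved bit set"),
           (0x10, "instruction fetch")]

# The object name between "in " and "[" is missing from the quoted lines, so
# it is optional here; "in[base+size]" is the first mapping ending above ip,
# which need not actually contain ip.
SEGFAULT_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in ?(?P<obj>\S*?)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?")


def decode_segfault(line):
    """Parse one kernel segfault line into its decoded fields, or None."""
    m = SEGFAULT_RE.search(line)
    if not m:
        return None
    err = int(m["err"], 16)
    addr, ip = int(m["addr"], 16), int(m["ip"], 16)
    info = {"comm": m["comm"], "pid": int(m["pid"]), "fault_addr": addr,
            "ip": ip, "error_code": err,
            "flags": [name for bit, name in PF_BITS if err & bit],
            "not_present": not (err & 0x01),   # bit 0 clear: page unmapped
            "ip_is_fault_addr": addr == ip,    # fault raised by the fetch itself
            "in_mapping": False}
    if m["base"]:
        base, size = int(m["base"], 16), int(m["size"], 16)
        info["in_mapping"] = base <= addr < base + size
    return info


def triage(info):
    """One-line interpretation of a decoded fault for an incident note."""
    if info["ip_is_fault_addr"] and "instruction fetch" in info["flags"]:
        return "execution jumped to an unmapped address (typically a corrupted function pointer or return address)"
    return "invalid write" if "write access" in info["flags"] else "invalid read"


def scan_log(text):
    return [d for d in (decode_segfault(l) for l in text.splitlines()) if d]
```

Both quoted lines decode to user-mode instruction fetches at an unmapped address equal to ip, which is why the named mapping lies above the fault address rather than containing it.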


Change History (2)

comment:1 Changed 15 months ago by Gert Döring

Are you using plugin-auth-pam to authenticate or the LDAP plugin ( directly?

This smells like a bug in the ldap glue libraries, passing invalid data to the LDAP libraries in case "something invalid" is passed (too-long password?).

comment:2 Changed 6 months ago by Gert Döring

As a workaround if you are using plugin-auth-pam, you can use the plugin from the 2.5 release, which can do async/deferred authentication. This will make all the PAM stuff happen in its own process, and if that crashes, it will not affect other users, just this single session.

If you use the LDAP plugin, you need to take this up with its developers.
